Antivirus Information for IT Support Staff

1. Product Information

Oxford University is licensed to use a number of the security products available from Sophos. Registered Oxford University IT Support Staff (register via Self-Registration) are able to access all of the products available under the current licence; selected products are also available to any member of the University. This page outlines the various products available, and includes information on the main features and links to download locations.

The following products are available.

1.1. Endpoint Security and Control Suite

This suite of products includes the following components.

Sophos Anti-Virus

Enterprise Console 3

Sophos Client Firewall

Network Access Control

Sophos Mobile Security

The Enterprise Console component installs to a Windows server and allows you to update, manage and monitor installations of Sophos Anti-Virus from a central console. Managed systems may be running Windows, OS X or Linux. Systems may be grouped as required and policies that specify the way in which Sophos updates, scans and disinfects systems can be configured and deployed from the central console. Other features include reporting and synchronisation with Active Directory.

If you want to be able to fully manage and monitor the Sophos installations on all of your managed server and desktop systems, this is the product for you. Although the console requires a Windows server to run, it will allow you to manage Sophos installations on Windows, OS X and Linux. It will also manage update sources (but not allow monitoring or configuration of policies) for a number of other platforms such as Netware and various flavours of unix.

The Sophos Network Access Control (NAC) component requires Sophos Enterprise Console 3.1. Note that the version of Sophos NAC that is included in the Sophos Endpoint Security and Control Suite is not as fully featured as Sophos NAC advanced (which is not included in the site licence). Sophos provide a feature comparison list on their website.

Sophos Mobile Security is a self-contained package that supports a number of Windows Mobile editions. Sophos provide an overview which includes a list of the editions supported.

Registered Oxford University IT Support Staff can download components of the Sophos Endpoint Security and Control Suite from the IT Services ITSS Downloads site.

1.2. EMail Security and Control

Sophos PureMessage is included in the Sophos site licence and provides virus and spam checking for Microsoft Exchange servers (2003 and 2007), and for Notes Domino (R6.5 and R7).

If you are using PureMessage on Exchange, please read the following Sophos advisory as a hotfix is required for some installations.

1.3. Standalone Sophos Anti-Virus Products

Unconfigured standalone installers are available for a wide range of platforms including Windows (from 95), OS X, Linux, Netware and various flavours of unix. These are appropriate for departments and colleges that are not able or do not wish to run the full Endpoint Security and Control suite.

The standalone versions for Windows, OS X and Linux are also available preconfigured with credentials to allow them to automatically update from Sophos. These are designed to be easy to install with no configuration needed. They are available for Windows 2000/XP/2003/2008/Vista, OS X and certain versions of Linux. Two editions are available: University and Personal.

University Edition

The University edition is for use on machines owned by the Collegiate University only. It may not be installed on machines owned by individuals. Three versions are available, for Windows 2000/XP/2003/2008/Vista, OS X and Linux. These clients are configured to update directly from Sophos using credentials that will not expire.

Personal Edition

The Personal edition is for use on laptops and desktops machines owned by individuals who are members of the Collegiate University. Again three versions are available, for Windows 2000/XP/Vista, OS X and Linux. These also update directly from Sophos; however the credentials used expire on an annual basis (generally in November). This ensures that people who leave the University cannot continue to update Sophos once they are no longer entitled to. A new version with updated credentials is normally available from August or September each year and should be downloaded and installed before the old credentials expire in order to maintain access to updates.

If you are not sure which edition of the installer you have, or which edition is installed on a Windows PC, there are a number of ways to tell. When run, the installer first unpacks its files and then presents a splash screen with a button to start the installation; at the bottom of this screen you will see either "For Personally-Owned PCs" or "For University-Owned PCs". On any operating system, once installed, you can tell from the username used to download updates from Sophos. Current usernames are shown in the IT Support Staff wiki (restricted access).

Credentials to allow updating of unconfigured versions direct from Sophos are available to registered Oxford University IT Support Staff from the ITSS Support Staff site.

NB: Personal editions should be downloaded by the individual who is going to use the software, to ensure that they have registered to use the program and have agreed to the terms of use. Registration also ensures that they are included on the mailing list used for announcements (such as new versions and warnings of credentials expiring).

Queries, particularly those relating to Oxford-specific Sophos services (such as the preconfigured clients, credentials and distribution), can be submitted to IT Services via the normal help channels (include ITSS in the subject for priority support).

2.1. Current Sophos Product Advisories (updated automatically)

3. Known Issues

3.1. Automatic update fails on Windows 2000/XP/2003/Vista systems

Problem: When a major update is released by Sophos which causes the product to re-install, this update might fail to apply.

Cause: There can be a variety of causes, but this is most likely to occur because of changes to registry key permissions. Some programs alter the default registry permissions to ensure a successful installation. The common method is to replace the default Windows permissions on HKLM and/or HKCR with a single entry: the Everyone group with Full Control. Sophos requires the Administrators group to have Full Control of both of these keys. Problems with HKCR are rare; problems with HKLM are more common.

Resolution: The latest versions of the Personal and University installers will correct any permissions problems on HKLM, so reinstalling using the appropriate installer will normally correct the problem. If you are using Enterprise Console, or the problem is with HKCR, you will need to correct the problem manually or via a script. Run regedit and, in turn, right-click the HKLM and HKCR hives and check their permissions. For each of these keys there must be an explicit entry for the Administrators group with permissions of Full Control. Reinstate any missing entries.

3.2. Installation fails because of insufficient permissions on registry keys

Problem: In a similar fashion to the above scenario of Sophos failing to update, Sophos will also fail to install if the HKLM and HKCR hives do not have Full Control assigned to the Administrators group. Sophos can fail to install at various stages depending on exactly where the permissions fault lies. It can fail almost immediately, or appear to install successfully but fail to produce the blue shield in the System Tray.

Cause: Some programs alter the default registry permissions to ensure a successful installation. The common method is to replace the default Windows permissions on HKLM and/or HKCR with a single entry: the Everyone group with Full Control. Sophos requires that the Administrators group has Full Control of both of these keys. Problems with HKCR are rare; problems with HKLM are more common.

Resolution: The latest versions of the Personal and University installers will correct any permissions problems on HKLM, so reinstalling using the appropriate installer will normally correct the problem. If you are using Enterprise Console, or the problem is with HKCR, you will need to correct the problem manually or via a script. Run regedit and, in turn, right-click the HKLM and HKCR hives and check their permissions. For each of these keys there must be an explicit entry for the Administrators group with permissions of Full Control. Reinstate any missing entries.
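The following PowerShell script is an added example covering the registry checks in 3.1 and 3.2 above; it is not an IT Services or Sophos script. It reports whether BUILTIN\Administrators holds an explicit Full Control entry on the HKLM and HKCR hive roots, flags the "Everyone: Full Control" pattern described above, and with -Repair reinstates the missing entry. It assumes it is run from an elevated prompt on the affected PC.

```powershell
# Added example (not from the IT Services page or from Sophos): check that the
# Administrators group has an explicit Allow / Full Control entry on the HKLM
# and HKCR hive roots, and optionally reinstate it. Run from an elevated prompt.
[CmdletBinding()]
param(
    [switch]$Repair   # without -Repair the script only reports
)

$hives = @{
    'HKLM' = 'Registry::HKEY_LOCAL_MACHINE'
    'HKCR' = 'Registry::HKEY_CLASSES_ROOT'
}
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($name in $hives.Keys) {
    $path = $hives[$name]
    $acl  = Get-Acl -Path $path

    # Sophos needs an explicit (not inherited) Allow entry granting Full Control.
    $ok = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        $_.RegistryRights -eq $fullControl
    }

    # "Everyone: Full Control" is the usual sign that another installer has
    # replaced the default Windows permissions on the hive.
    $everyone = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.RegistryRights -eq $fullControl
    }
    if ($everyone) { Write-Warning "${name}: 'Everyone' has Full Control (non-default permissions)" }

    if ($ok) {
        Write-Output "${name}: OK - Administrators have explicit Full Control"
        continue
    }
    Write-Warning "${name}: Administrators do NOT have explicit Full Control"

    if ($Repair) {
        # Reinstate the default entry: Full Control on this key and its subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Administrators', $fullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "${name}: Administrators Full Control entry reinstated"
    }
}
```

Run it once without -Repair to see the current state, then again with -Repair before re-running the Sophos installer or waiting for the next automatic update.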

3.3. Installation or automatic update fails because another antivirus product is detected

Problem: Over the last few months we've seen a number of users who cannot install the v7 client due to the presence of another antivirus product on the system. The same problem may also be seen when Sophos tries to update automatically to a new major version (e.g. v6 to v7). The symptoms for a failed installation are as follows.

Sophos appears to install fine from the Installer, but the shield is grey with a red cross.

The C:\Program Files\Sophos folder only contains the folder AutoUpdate.

For cases where an update fails, the shield will generally be blue but with a red cross, and C:\Windows\temp contains the file Sophos Anti-Virus Competitor List.txt.

Cause: Sophos will not install or update to a new major version if a competitor antivirus product is installed. Sophos will also fail to install completely if residue from a previous antivirus product is detected on the system.

Resolution:

Ensure any previous antivirus products are uninstalled. If no other antivirus products appear to be present, the file Sophos Anti-Virus Competitor List.txt lists any remaining registry keys that still need to be cleared before Sophos will install.

Reboot.

Run the Sophos installer once again.

3.4. Cannot create scheduled scans

Problem: Users cannot create scheduled scans, and see an error message referring to the use of an incorrect password, or to a password that does not conform to policy, as shown below.

Cause: The Sophos client uses the Windows Scheduler service when configuring scheduled scans. By design, the Scheduler service does not allow blank passwords, irrespective of the local password policy.

Workaround: Users must set a non-null password in order to configure a scheduled scan.